Connected vehicles on road showing enforcement of privacy laws

Data Flowing From Connected Vehicles May Cause Manufacturers to Run Afoul of California Privacy Law

Connected vehicles are a phenomenon that is still less than two decades old, and it has been less than a decade since the major manufacturers in the US made these features standard in most of their vehicle lines. As with many other aspects of data privacy, there is almost no regulation of the personal information that vehicles collect at the federal level.

The state of California is about to open its first case regarding connected vehicles and data privacy, under the new terms of the California Privacy Rights Act (CPRA). The California Privacy Protection Agency (CPPA) will be examining a broad range of data collected by car manufacturers, including what the vehicle cameras capture and what is passing through their apps.

Unregulated personal information flows from connected vehicles to data brokers

The internet features of connected vehicles are generally employed in some sort of useful function: cameras for security and automated operation, location data for GPS navigation, streaming radio or video for kids in the backseat, and so on. But this collection of information is also ideal for targeted marketing purposes, and there is not much law standing in the way of it being used in that manner.

Though federal law does not restrict connected vehicles in this way, some states have applicable law either in place or about to come online. California is now under the “upgraded” CPRA as of the end of March 2023, though the original target date for enforcement to begin (July 1) has been pushed all the way back to March 29, 2024. That regulatory power will now be exercised to examine the trove of personal data that connected cars are collecting, how long manufacturers are storing it, and what they are sharing with data brokers.

Vehicle owners are also increasingly unable to opt out of internet features, and have few options available unless they shop for something more than five or so years old. Some research estimates that 91% of new vehicles sold in the US are now kitted out with “connected car” functions of some sort, and by 2023 that number will hit 96%. Worldwide the number of new cars outfitted in this way is pushing 50%.

Consumers may be able to avoid starting a car or controlling its functions with its mobile app, but there are a number of elements that cannot be disabled. The skyrocketing popularity of the Tesla S in the early 2010s was the driver for a good deal of the connected car trend, which came standard with a cabin camera meant to monitor potential driver inattentiveness when using the “Autopilot” feature (along with a number of exterior cameras). As the automated driving features were expanded, beginning with the Model 3 in 2017, the number of cameras on the car also expanded.

While not all connected vehicles offer automated driving features, or have the associated collection of cameras, at minimum nearly all now have a location tracking feature that usually cannot be disabled. Some also come with a default satellite radio, which appears to be solely for the purpose of pushing an optional subscription when the initial free trial period runs out. Some also have a default microphone feature, advertised as an emergency safety feature that needs to remain accessible at all times even if the driver has no other use for it.

The most connected of these vehicles, electric cars with automated driving features like Teslas, can collect as much as 19 terabytes of data per day from customers. Tesla recently announced plans to build a supercomputer to store and process the reams of data its vehicles are constantly collecting.

Manufacturer data disclosures tend to be opaque, opt-outs not always possible

While consumers seem to be broadly aware that their connected vehicles are capable of capturing all sorts of personal data, they may not be as aware of how it’s being packaged and sold as an added revenue stream for vehicle manufacturers. This is rapidly becoming a multi-billion-dollar industry with a variety of takers for this data: gas stations that want to know where people stop and what they buy, insurance companies that want to know what drivers are doing on the road, and fleet managers that want more detailed data on parts and reliability, just to name a few of the biggest customers.

It is very difficult for consumers to tell exactly what is being collected by connected vehicles. Manufacturers are under no obligation to fully disclose, and the prevailing legal opinion is that they own the data that cars generate. Reporters from the Washington Post resorted to hacking a 2017 Chevy sedan to discover an always-on internet connection that continually logs precise location, the IDs of connected phones and numbers they call along with email contact lists, and telemetrics that include driver performance.